Control Information

AT-3 Role-Based Security Training

Description

Before authorizing access to the information system or performing assigned duties;

When required by information system changes; and

[Assignment: organization-defined frequency] thereafter.

Control Information

Responsible role(s) - Organization

AT-3 (1) Environmental Controls

Description

The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.

Control Information

Responsible role(s) - Organization

AT-3 (2) Physical Security Controls

Description

The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.

Control Information

Responsible role(s) - Organization

AT-3 (3) Practical Exercises

Description

The organization includes practical exercises in security training that reinforce training objectives.

Control Information

Responsible role(s) - Organization

AT-3 (4) Suspicious Communications And Anomalous System Behavior

Description

The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems.